IBM debuts smart card-based notebook security

IBM Corp. this week plans to announce a smart card security system that is designed to prevent unauthorized access to data stored on a notebook's hard drive even when the computer is stolen.

The Smart Card Security Kit comes with a smart card and smart card reader/writer, along with security software based on RSA cryptographic technology, digital signature capability and Symantec Corp.'s Norton anti-virus software. The kit also supports Security Dynamics Technologies Inc.'s SoftID software for user control access, which must be bought separately.

The product is designed for the mobile user who needs to protect sensitive data, said Joseph Preisser, worldwide brand marketing manager for communication option products at IBM PC Co. "The hard disk files are as important as the physical asset itself," he said. "Now the only way to get access to the hard disk is using a smart card and [personal identification number] code."

A study released earlier this year by the Computer Security Institute and the FBI found that computer crime is increasing, Preisser said. Of the 520 people surveyed in government agencies, corporations, universities and financial institutions, 64 percent reported computer security breaches within the past 12 months, up from 48 percent last year.

IBM's Smart Card Security Kit is designed to thwart these breaches.

The smart card contains a PIN code, a digital signature public-key/private-key pair, a data encryption key and a reserved space for a digital certificate. The smart card reader fits into a notebook's PC Card slot. To boot up the computer, the user inserts a smart card and enters the correct PIN. The user can remove the smart card, which secures the system, without having to power off the notebook.

Data on the hard disk can be encrypted or decrypted using a key stored on the smart card. Individual files can be encrypted when saved to the hard disk and automatically decrypted when opened. Encrypted files or attachments also can be sent to an unsecure system. Digital signatures authenticate the user when sending e-mail via Netscape Communications Corp.'s Navigator or Microsoft Corp.'s Internet Explorer.

"We create a greater level of protection by putting the code and PIN on the smart card because the hard disk files can be hacked," Preisser said. "Even if the notebook is stolen and the hard drive is put into another notebook, [files] are protected using a software algorithm." Preisser said the Justice Department has expressed interest in the product to secure sensitive court files stored on notebooks carried by judges while on the road.

Michael Noll, co-director of the smart card initiatives team at the General Services Administration, said the group he chairs is interested in applications like the one offered by IBM.

However, the application would likely be one of many on a single smart card. "It has to be a multiple-application smart card. It has to perform multiple functions," Noll said.

"I don't think we could buy a smart card just to secure a laptop. We're [working] on a whole suite of security applications, and [securing a laptop] would be something we would look at. If that's an application a government user wants on a smart card, then we'll give it to them," he said.

Many users have expressed interest in a smart card that would enable them to do many things, Noll said, such as pay for hotel bills and log onto a computer for access to the agency network, regardless of whether the PC belongs to them.

The new product, which works with IBM ThinkPad and IBM-compatible computers, will be added to the GSA schedule.